CyberWire Daily - Voting machine woes. Router exploits trouble Brazil, Bitpoint alt-coin exchange investigates theft. Facebook fined $5 billion. Power failures probably unrelated to cyberattacks. Amazon Prime phishing.
Episode Date: July 15, 2019
Upgraded voting machines may not be as secure, or as upgraded, as election officials seem to think. Criminals continue to exploit routers in Brazil. A Japanese cryptocurrency exchange shuts down while it investigates a multimillion dollar theft. The Federal Trade Commission fines Facebook $5 billion over privacy issues. Weekend power outages seem not to have been the result of cyberattacks. Another city sustains a ransomware attack. Shop carefully on Amazon Prime Day. Joe Carrigan from JHU ISI on Apple pushing an update to mitigate Zoom conferencing app vulnerabilities. Guest is Patrick Cox from TrustID on government agencies using inadequate ID authentication via phone. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_15.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Upgraded voting machines may not be as secure or as upgraded as election officials seem to think.
Criminals continue to exploit routers in Brazil.
A Japanese cryptocurrency exchange shuts down while it investigates a multi-million dollar
theft. The Federal Trade Commission fines Facebook $5 billion over privacy issues.
Weekend power outages seem not to have been the result of cyber attacks.
Another city sustains a ransomware attack. And shop carefully on Amazon Prime Day.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 15, 2019.
The Commonwealth of Pennsylvania has announced its determination to upgrade its election security before 2020,
and it's spent more than $14 million in funds, mostly contributed to the state by the federal government, to do so.
But this upgrade hasn't proceeded happily.
The Associated Press reported in an exclusive over the weekend that county election authorities have, for the most part,
gone with voting machines running Windows 7,
an operating system that will reach its end of life in January. The systems are used,
the AP says, quote, to create ballots, program voting machines, tally votes, and report counts,
end quote. All of this is, as the engineers would delicately put it, suboptimal, and no one is particularly happy about it.
U.S. Election Assistance Commission Chair Christy McCormick told the AP using Windows 7 systems, quote,
is of concern and it should be of concern, end quote.
The largest U.S. voting system vendor, ES&S,
says it has arguably more secure Windows 10-based systems coming soon
and that it's working with Microsoft
to provide Windows 7 security upgrades until all systems can be converted to the latest
version of the OS. This is not an unfamiliar problem with Internet of Things generally.
Vendors modify operating systems in ways that tend to prolong their life beyond the intended limits.
There may also be a standards issue here.
County election officials tend to take certifications as solid evidence that their systems are secure. But the AP's story goes on to say that Citizens for Better Elections,
an advocacy group, says that many county election officials seem to be unaware that
many of the systems they intend to use were certified under 2005 standards.
In any event, vulnerabilities in systems that count and report votes would open the possibility of direct manipulation of elections,
a step beyond the kind of influence operations foreign actors have deployed in the past.
Avast follows up the trend toward cross-site request forgery attacks against routers with a report on the exploit kits used.
The attacks had been noted earlier by Radware and NetLab.
Victims continue to be concentrated in Brazil.
Coindesk reports that Japanese altcoin exchange Bitpoint has halted all activity while it investigates the theft of some $32 million in cryptocurrency.
The exchange noticed there was a problem when it observed anomalous behavior in a hot wallet.
The Wall Street Journal reported late Friday that the U.S. Federal Trade Commission has approved a $5 billion settlement in the matter of Facebook privacy missteps
in connection with the Cambridge Analytica data scandal.
The commission divided
along partisan lines in their vote. The three Republicans approved the FTC's proposed settlement,
while the two Democrats saw things to dislike in it. The agreement, which now goes to the
Department of Justice Civil Division for final review, is expected to include provisions for
closer privacy oversight of the social network, but those details weren't immediately available.
It's thought the partisan divide may have been over the character of the oversight measures.
As heavy a burden as $5 billion may be,
congressional critics of the fine point to Facebook's very high revenues,
which were, The Washington Post notes, $15 billion for the last quarter alone.
Facebook had expected a heavy fine,
and in that same quarterly report said that it had put aside funds to cover that eventuality.
Another way of looking at the matter is in terms of profit per employee.
At Facebook, that's over $634,000 per employee per year,
a record for the tech sector, according to Silicon Valley Business Journal.
Nonetheless, it's hard to regard $5 billion as chump change, even around Menlo Park.
The settlement easily sets a record for penalties imposed for violating an FTC order.
The previous record was a $22.5 million fine against Google in 2012,
which in relative terms is chicken feed.
The FTC has greater latitude in punishing repeat offenders,
and were Facebook not a privacy recidivist,
it might have gotten off easier.
On the other hand, a number of observers,
including some members of Congress,
think the penalty amounts to a slap on the wrist.
An opinion piece in The Verge agrees,
arguing that Facebook has behaved badly since its foundation
and that it has consistently escaped accountability for such missteps
as those on display in the Cambridge Analytica affair.
The GAO recently published a report,
Federal Agencies Need to Strengthen Online Identity Verification Processes,
urging federal agencies to up their game when it comes to user authentication.
Patrick Cox is founder of TrustID, a company that specializes in call authentication.
The traditional way, I say traditional meaning maybe the last 10 or 15 years,
the way authentication has worked in these channels is primarily asking
questions, right? We all know the drill. What's your mother's maiden name? What's your date of
birth? What's your social security number? Things like that. And that's broken. That's really what
led us here today is that that information is just totally broken. And so what are the
alternatives then? Well, three ways to authenticate somebody. One, obviously, is asking questions, and that's called knowledge-based identity proofing.
The second one would be ownership.
So you think about a credit card, a physical, unique device, right?
That would be ownership authentication.
Having a device, a key, for example, a key to a safety deposit box would be an ownership token.
And the final one is what we'd call inherent, something you
inherently are. So a fingerprint, a retinal scan, DNA, things like that would indicate who you
are. Those are the only three tools we have in the authentication arsenal. So questioning is really
easy to understand why you do that, especially over a phone call, because it's hard,
if not impossible, to get a fingerprint or something over a phone call, right? So it becomes more challenging. I know one of the
concerns here is that if you move to a digital method, if you do something that requires something
like a mobile device, well, not everybody has a mobile device. Absolutely true. And so what we've
been advocating for, in fact, we do this millions and
millions of times each day for some of the largest financial institutions in the country,
is relying far less on the asking of questions, right? The knowledge information, that whole
approach, frankly, is broken because criminals know your date of birth, right? It's on social
media. It's been shared. The sad news with all the data breaches and hacks and
so on out there, they have your social security number, they have your address, they have your
mortgage payment information. The information has been shared with the bad guys. And so what we
advocate for is using more ownership authentication. So if you're calling from a mobile phone, as you
say, Dave, it's pretty common sense to say, hey, we can make sure that mobile phone is unique. It's not duplicated. It's actually engaged in the
interaction. It's in that person's possession because they've obviously used some sort of
probably inheritance method, right? They've used a facial scan or a fingerprint or a passcode to
get access to that phone. That's great. And then also it's nice though, on a phone call,
even if it's a landline, you can do the same thing for landline phones. Yes. Which is great, right? Now you've got
basically a hundred percent coverage because if the person is able to call in, then they can
identity-proof with that ownership token. The phone itself doesn't have to just be mobile.
It can be landline as well. And is that like, is something as simple as a callback system where
they're calling you so they know the number they're calling or I guess using some sort of caller ID to verify the number you're calling from?
Yeah, so you'd use the caller ID information, which is great.
However, you've probably heard of a thing called spoofing where criminals and others can fake your phone number.
So if you can solve for the spoofing problem, and there's technology today that does that, and also if you can solve for what we call the virtualization problem, and there's technology that solves that.
When I say virtualization, think about calls from Skype or Google Voice, right?
It's not really a physical device.
It's not really a physical location.
It's more of a virtual login, username, and password.
You can deal with that technology and be able to identity-proof these calls if you can solve for the spoofing and virtualization problems.
And again, as I said, there's really proven technology out there to do those things.
That's Patrick Cox from TrustID.
Deutsche Welle reports that an unprecedented power failure yesterday affecting Argentina,
Uruguay, and Paraguay remains under investigation,
but Argentina's energy ministry says a cyber attack is not among the main alternatives being considered.
MSNBC quotes New York City's Mayor de Blasio, saying the city is as certain as we can be that Manhattan's weekend blackout was not caused by a cyber attack.
Power has been largely restored in both instances.
Official announcements concerning grid failures
now routinely address the possibility of cyber attack.
The Syracuse City School District in central New York State
has confirmed that a cyber incident it sustained last week
was in fact a ransomware attack.
This is the most recent in a string of ransomware attacks
against local governments and their services.
Syracuse schools haven't yet brought their systems back online.
The town of New Bedford, Massachusetts also sustained a recent cyber attack,
but the city is keeping quiet about the details, acting, it says,
on the advice of the security consultants it's hired to help with recovery.
And it's Amazon Prime Day, as you may have noticed.
Even if you haven't noticed, the grifters, scammers, the hoods all have.
Amazon Prime is being used as phish bait all over the place.
So shop carefully.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like,
right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Joe, it's good to have you back.
It's good to be back, Dave.
Joe, we have been following this story about Apple and Zoom,
the conferencing software, and how Zoom had installed a web server on Macs
and if you uninstalled the Zoom app, this web server would stay behind.
Correct.
Zoom says to facilitate easier reinstallation of the app.
Right. Well, the vulnerability actually stems from a problem with this ease-of-use feature, if you want to call it that, that Zoom was insisting on and has now since backtracked from.
But the idea that when I click the link, it just works.
Zoom just comes up and I'm teleconferenced in.
And the person who administers the Zoom conference can turn my camera on and my microphone on
so that presumably I don't have to sit there going,
how do I get my audio connections to work?
Just like I did this past Tuesday in a WebEx meeting.
Exactly.
What happened to me?
Yes.
They are there.
Yes.
I had to type in the chat and say, hold on, let me set my audio settings right.
Yeah, we've all been through that for sure.
And Zoom is, from a user perspective, saying, well, that's too much.
Let's just do this.
Well, that is also too much, apparently.
But really what's interesting in this is that the Apple version of the software contained a web server on your machine
that even after you uninstalled Zoom, when you clicked on another link,
this web server would help reinstall
the software again, and it was seamless.
So the user didn't see it getting installed.
Apple then, this week, late this week, has pushed out an update that goes in, a silent
update that goes in and removes this server from your machine.
Right, right.
Now, this I find interesting as well. There's a person on Twitter. His name is Eric Capuano, and I think he captured this in this tweet. He said, InfoSec Twitter, how dare you silently install a vulnerable web server on my system? Also InfoSec Twitter, how dare you silently remove a vulnerable web server from my system?
Right.
Everyone else. I guess there was a bad thing that could turn on my camera, but it's gone now.
Right, yeah.
Yeah.
That's right.
But what do you make of this, some people pushing back on Apple's capability to silently alter your computer?
Right.
Uninstall software.
Uninstall software from what they say are for security reasons, and in this case, that is absolutely true.
Correct.
What do you make of people getting spun up about that?
I don't know.
I mean, I tend to think that when you buy an Apple device, you're going into the Apple ecosystem.
Right?
And part of that ecosystem is they have a security culture, and they have the idea that the user is not really in control of their computer experience.
To the degree they are with other OSs.
Right.
This is the main reason I don't like Apple.
As a guy who comes from a technical background, I enjoy using Windows machines or Linux machines.
Right.
I don't want the Apple experience.
I don't want them telling me what to do.
So if you don't want Apple behaving this way, don't buy an Apple.
Right, right.
But the vast majority of people, just like this tweet says, have the attitude that, hey, there was something bad and Apple took care of it.
Yeah, we're good here. We're good. We're done.
Mm-hmm.
You know, and I think that what really prompted Apple to do this was the fact that Zoom's web server didn't uninstall as part of the app uninstall.
That's probably in violation of the developer agreement.
I would imagine so.
I don't know that it is.
I'm not an app developer for Apple.
Yeah, it makes sense that it would.
It's just bad form, if nothing else, to leave behind a web server running after your user has requested that your software be uninstalled.
Right, exactly.
Yeah.
There's an article Zack Whittaker wrote over on TechCrunch,
and part of it includes a quote from a spokesperson from Zoom who said,
we're happy to have worked with Apple on testing this update.
Yeah.
I'm just guessing what that conversation was like.
Everybody's all grins over there, right?
Right.
I'm just imagining, speculating here, but thinking that Apple's saying, okay, so here's what's going to happen.
Right.
And Zoom's saying, okay, you're right.
Yep, okay, very good.
We're good.
We're good.
We have a lot of computers that we want to have access to.
Right.
Yep, okay.
Right, right.
I mean, like I said, this is why you buy an Apple.
It's because of the security posture and because a lot of this maintenance,
which you'd have to do yourself on other operating systems, is handled by Apple themselves.
Yeah.
All right.
Well, it's an interesting kerfuffle, and certainly, I mean, it's a security event as well.
It is.
Yeah.
All right.
Well, Joe Carrigan, as always, thanks for joining us.
My pleasure, Dave.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker
is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
For more stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.